Documentation should describe protection against repository corruption
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Bazaar |
Confirmed
|
Low
|
Unassigned | ||
| Breezy |
Triaged
|
Low
|
Unassigned | ||
Bug Description
I am evaluating bzr for use with a project that has fairly high security requirements. The online documentation does not describe whether or how the SHA1 digests would allow us to detect attacker attempts to modify the repository directly. I'm not worried about hash collisions...I'm willing to assume that if they change something the SHA1 will no longer match.
Would an attacker be modifying files, or commits (or both)? What bzr commands would detect that? status? update? check? commit? If someone changed a non-trunk branch, would normal day-to-day operations on trunk detect that damage that was "off to the side?"
In a perfect world, the documentation would include a point-by-point response to: http://
I'm creating a separate issue to request documentation of the gpg signing features.
| Martin Pool (mbp) wrote | #1 |
| Changed in bzr: | |
| importance: | Undecided → Low |
| status: | New → Confirmed |
| tags: | added: check-for-breezy |
| tags: |
added: documentation removed: check-for-breezy |
| Changed in brz: | |
| status: | New → Triaged |
| importance: | Undecided → Low |
It would be good to document this more fully.
Fetching from one repository to another (pull, push, merge) will (modulo bugs, as always) detect inconsistent data. status only works in the working tree and will not check that the history is consistent.